Privacy Policy

How Tracemate collects, uses, and protects your personal data

Last updated June 19, 2026

At Tracemate ("Tracemate," "we," "us," or "our"), a service provided by Bartels Software Studio OÜ, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at tracematehq.com (the "Service").

1. Information We Collect

1.1 Information You Provide

We collect information that you voluntarily provide when you:

  • Create an account: Email address and name (required for authentication and communication)
  • Upload images for tracing: Images you upload to create custom Gridfinity bin designs
  • Save design projects: Your bin configurations and design settings
  • Contact us for support: Any information you provide in communications with us
  • Purchase a subscription: Payment and billing information processed by our merchant of record (see Section 4)

1.2 Automatically Collected Information

When you access the Service, we may automatically collect certain technical information necessary for the operation of internet services and security purposes:

  • Device information: Browser type, operating system, screen resolution
  • Network information: IP address (may be stored in logs for security purposes)
  • Browser user agent: Technical browser identification string
  • Access timestamps: Date and time of your visits

This technical information is inherent to how the internet works and is necessary to deliver web content to your device. Some of this data may be retained in server logs for security monitoring and incident investigation.

1.3 Analytics Data

We use Umami, a privacy-focused, self-hosted analytics solution in a cookie-free configuration:

  • No cookies are used for analytics tracking
  • No advertising or cross-site tracking
  • Analytics data is aggregated where possible
  • IP addresses may be processed transiently for technical delivery but are not used for profiling or stored long-term

We analyze only summarized metrics to understand general usage patterns, identify areas for improvement, and improve the overall user experience. No individual user tracking or profiling is performed.

1.4 Uploaded Content Warning

Please avoid uploading images containing sensitive personal data or identifiable individuals (such as photos containing people, names on labels, or addresses on packaging) unless you have the right to share them. You are responsible for ensuring you have appropriate rights to any content you upload.

2. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

2.1 Contract Performance

  • Account creation and login: Email and name are required to provide you with access to the Service
  • Generating designs from uploads: Processing your uploaded images to create Gridfinity bin designs
  • Automatic object naming: After on-device tracing, and only when you have enabled cloud AI processing, sending small rectified object crops to our configured AI provider to suggest object and project names
  • Transactional emails: Sending account verification, password reset, and subscription updates
  • Subscription management: Processing subscription data shared by Polar.sh

2.2 Legitimate Interest

  • Security logs and abuse prevention: Processing IP addresses and timestamps to protect the Service and users
  • Support communications: Responding to your inquiries and providing assistance
  • Service improvement: Analyzing aggregated usage patterns to enhance features

2.3 Legal Obligation

  • Tax and accounting records: Retaining transaction records as required by law
  • Legal requests: Responding to valid legal processes

3. How We Use Your Information

We use the collected information for the following purposes:

  • Provide the Service: Process your uploads, generate Gridfinity bin designs, and maintain your account
  • On-device outline detection: If you use Zauberstab, the segmentation runs entirely in your browser. No image, point, or prompt data is sent to any server or third party for this feature.
  • Authentication: Verify your identity and manage access to your account
  • Communication: Send transactional emails (account verification, password reset, subscription updates) and respond to support inquiries
  • Improve the Service: Analyze aggregated usage patterns to enhance features and user experience
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: Comply with applicable laws and regulations

4. Data Storage and Infrastructure

We use the following service providers to operate our Service. Each provider has been selected for its security practices and compliance with data protection regulations:

4.1 Hosting and Infrastructure

  • Hetzner: Our servers are hosted in Germany (EU) and are protected under GDPR
  • Convex: Backend processing for our application, storing your account data and project files with encryption in transit and at rest

4.2 Communication Services

  • Google Workspace: Used for direct email communication (e.g., support inquiries sent to our email addresses)
  • Resend: Transactional email delivery service for account notifications

4.3 Domain and DNS

  • Spaceship: Domain registration and DNS management

4.4 On-Device Detection and Optional Object Naming

Zauberstab runs entirely on your device. The segmentation model and the runtime that powers it are served from our own origin, and all processing happens locally in your browser. No image, point, or prompt data is sent to any server or third party when you use Zauberstab, so it is not gated by the cloud AI processing setting.

Automatic object naming is a separate, optional feature governed by the "Cloud AI processing" setting in your profile. This setting is enabled by default; you can turn it off at any time, after which no images are sent for naming. Object naming may run after on-device tracing so object and project names can be suggested without manual entry. It is free and does not consume any credits.

  • Zauberstab: Nothing leaves your device. The SlimSAM segmentation model and the ONNX Runtime that executes it are served from our own origin (not a third-party CDN), and all inference happens in your browser.
  • Data sent for object naming: Only small JPEG crops of detected objects from the rectified A4 image (downscaled to a maximum of 320 pixels per side), object IDs, provider label, and model label are sent to the AI provider. Original uploads, EXIF/GPS metadata, and user-entered object names are not sent for naming.
  • Provider: Object naming runs on the Google Gemini API (Google Cloud), which performs server-side model inference only. This is the only external AI provider we use.
  • Current model label: configurable. For object naming we use a Google Gemini model such as "gemini-2.5-flash-lite". Provider and model labels are tracked server-side for auditability.
  • What we store: Minimal audit records for object naming containing user ID, project ID, provider, model, status, and object count. Suggested object names and the generated project name are stored on the project so they can be shown in tracing, the 3D model, and your profile.

4.5 Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Regular security assessments and monitoring
  • Access controls and authentication
  • Secure development practices

4.6 Data Retention

We retain your personal information for the following periods:

  • Account data: Kept until you delete your account
  • Uploaded images and projects: Stored until deleted by you or upon account deletion
  • Object naming audit records: Stored until account deletion or until no longer needed for abuse prevention and support
  • Server and security logs: Retained for up to 90 days for security monitoring
  • Transaction records: Retained as required by tax and accounting laws (typically 7 years)
  • Support correspondence: Retained for up to 2 years after resolution

You may delete your account and data at any time through the self-service account deletion feature in your profile settings. Data contained in backups is deleted within the backup retention period.

5. Payments and Subscriptions

Subscription payments and billing are handled by Polar.sh, which acts as our Merchant of Record.

Regarding payment data:

  • Credit card and payment details are collected and processed exclusively by Polar.sh
  • We never store sensitive payment information on our servers
  • Polar.sh may share with us: your name, email, subscription status, purchase history, and billing country for account management purposes

Please review Polar.sh's Privacy Policy for details on how they handle payment data.

6. Sharing of Information

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With the trusted third-party services listed in Section 4, solely for operating the Service
  • Optional AI Provider: With Google (Gemini API) when automatic object naming suggests labels after tracing, and only when Cloud AI processing is enabled. Only small rectified object crops and object IDs are shared. Zauberstab runs on your device and shares nothing.
  • Payment Processor: With Polar.sh for subscription management (as detailed in Section 5)
  • Legal Requirements: When required by law, court order, or governmental authority, or to protect our rights, safety, or property
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with advance notice where possible

7. Cookies and Tracking

We take a privacy-first approach to cookies and tracking technologies:

7.1 Essential Cookies

We use essential cookies for login sessions and security. These cookies are strictly necessary for the Service to function and cannot be disabled.

7.2 Analytics

Our Umami analytics operates in a cookie-free configuration and does not set any cookies on your device.

7.3 No Advertising Cookies

We do not use third-party tracking, advertising, or marketing cookies.

You can control cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use certain features of the Service.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EU/EEA Residents)

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request limitation of processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

8.2 Rights Under Other Laws

Residents of California (CCPA), Brazil (LGPD), and other jurisdictions with privacy laws may have similar rights. We will honor valid requests in accordance with applicable laws.

8.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at help@tracematehq.com. We will respond within the timeframe required by applicable law (typically 30 days). In complex cases, we may extend this period by up to two additional months where permitted by law.

8.4 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

9. International Data Transfers

Our primary hosting infrastructure is located in Germany (EU).

Some of our service providers (such as Convex) may process data outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the EU
  • Adequacy decisions by the European Commission
  • Other legally recognized transfer mechanisms

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at help@tracematehq.com.

11. Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with service providers that process personal data on our behalf, as required under GDPR.

If you require a copy of our DPA for your records, please contact us.

12. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new Privacy Policy on this page with an updated "Last updated" date
  • Sending an email notification for significant changes (where required by law)

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
